Hello community,

I am new to the list, and I hope everyone is well.

I am running a squid server on Debian 7. My squid version is 3.5.27, manually compiled with LibreSSL 2.6.0 due to problems with Dropbox. After compiling squid with LibreSSL, the error "unknown cipher returned" has disappeared and Dropbox worked correctly.

Everything works quite well, except that in /var/log/squid/cache.log there are 5 types of problems (at least):

    [1] 2018/06/08 17:14:05 kid1| Error negotiating SSL connection on FD 7: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca (1/0)
    [2] 2018/06/08 17:14:39 kid1| Error negotiating SSL on FD 11: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
    [3] 2018/06/08 18:35:43 kid1| Error negotiating SSL connection on FD 10: (104) Connection reset by peer
    [4] 2018/06/08 18:56:52 kid1| Error negotiating SSL on FD 13: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
    [5] 2018/06/08 19:20:06 kid1| Error negotiating SSL connection on FD 9: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt (1/-1)

However, I think (I'm not sure but ...) that the most serious is number [2]:

    SSL negotiating error on FD 11: error: 14007086: SSL routines: CONNECT_CR_CERT:certificate verify failed (1/-1/0)

The problem I have is with WhatsApp from mobile devices ... the application tries to connect to the network indefinitely without success, and the error that appears (at that moment) is [2]:

    (...) certificate verify failed (1/-1/0)

This is the most relevant configuration of squid currently:

    http_port 3128
    http_port 3129 intercept
    https_port 3130 intercept ssl-bump \
        cert=/etc/squid/ssl_cert/squidCA.pem \
        key=/etc/squid/ssl_cert/squidCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-dh=/etc/squid/ssl_cert/dhparam.pem
    sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslproxy_cafile /etc/squid/ssl_cert/cert.pem # LibreSSL SLL CA Bundle
    sslproxy_foreign_intermediate_certs /etc/squid/ssl_cert/intermediate.pem
    sslproxy_options SINGLE_DH_USE
    sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    ssl_bump peek step1 all
    ssl_bump peek step2 nobumpSites
    ssl_bump splice step3 nobumpSites
    ssl_bump stare step2 all
    ssl_bump bump step3 all
    (...)

In the file "/etc/squid/url.nobump", I have expressions like these:

    (...)
    # IM
    \.skype\.com$
    \.whatsapp\.com$
    \.whatsapp\.net$
    (...)

I have read that WhatsApp, Facebook, and many other servers use "Certificate Pinning" to avoid "Man-in-the-middle" attacks. But I cannot find any solution/fix or workaround.

The server certificate is installed on mobile devices. The flaw occurs with both Android and iOS devices.

Any kind of suggestion is welcome, both if there is something wrong in the configuration written above, or better yet if someone knows the cause and solution of this problem.

Thank you very much to all!
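
Added example (not part of the original post, and not Squid's or LibreSSL's own code): a small triage script that decodes the packed library error codes in the five cache.log lines quoted above. It assumes the pre-3.0 OpenSSL / LibreSSL ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason) and treats the ACCEPT_/CONNECT_ prefix of the function name as a heuristic for which TLS role the proxy had; the function and field names are made up for this illustration.

```python
import re

# Constructed sample: the five cache.log lines quoted in the post.
SAMPLE_LOG = """\
2018/06/08 17:14:05 kid1| Error negotiating SSL connection on FD 7: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca (1/0)
2018/06/08 17:14:39 kid1| Error negotiating SSL on FD 11: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed (1/-1/0)
2018/06/08 18:35:43 kid1| Error negotiating SSL connection on FD 10: (104) Connection reset by peer
2018/06/08 18:56:52 kid1| Error negotiating SSL on FD 13: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
2018/06/08 19:20:06 kid1| Error negotiating SSL connection on FD 9: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt (1/-1)
"""

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)\s*\(")
ERR_LIB_SSL = 0x14           # library number of "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 are alerts received from the peer


def decode(line):
    """Return the decoded library error on one log line, or None if there is none."""
    m = ERR_RE.search(line)
    if not m or int(m.group(1), 16) == 0:
        return None  # plain errno line, or an empty error queue (error:00000000)
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    # Heuristic: the handshake function name says which TLS role the proxy had.
    fn = m.group(3)
    role = "server" if fn.startswith("ACCEPT_") else "client" if fn.startswith("CONNECT_") else None
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # TLS alert number sent by the peer
    return {"lib": lib, "func": func, "reason": reason, "proxy_role": role,
            "peer_alert": alert, "text": m.group(4)}


def triage(log):
    """Decode every line of a cache.log excerpt, keeping line order."""
    return [decode(line) for line in log.splitlines()]


if __name__ == "__main__":
    for n, result in enumerate(triage(SAMPLE_LOG), 1):
        print(f"[{n}]", result)
```

For line [1] this yields peer alert 48 (unknown_ca), received while the proxy was acting as the TLS server; for line [2] it yields reason 134 (certificate verify failed), raised while the proxy was acting as the TLS client.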